EU Privacy and Electronic Communications (e-Privacy Directive)

Summary

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as the ePrivacy Directive, safeguards the confidentiality of electronic communications in the EU. The ePrivacy Directive is a key instrument for protecting privacy, and it includes specific rules on data protection for telecommunications in public electronic networks. The directive was adopted in 2002 with the aim of addressing the requirements of new digital technologies.

Background

The purpose of the legislation is to “complement and particularise” matters covered by the general data protection legislation of the EU (formerly the 1995 Directive on Data Protection, the predecessor of the General Data Protection Regulation).

On May 6, 2015, the European Commission adopted the Digital Single Market (DSM) Strategy, which provides that the review of the e-Privacy rules should follow the adoption of the General Data Protection Regulation. The e-Privacy Directive deals with a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This legislation aims to protect online privacy, including when browsing the internet or using a mobile phone, wearables or other internet-connected devices. The comprehensive review of the directive has been long overdue.

The ePrivacy Directive was last updated in 2009 to provide clearer rules on customers' rights to privacy. The directive, however, has never worked optimally and the rules regulating cookies have failed to provide efficient safeguards.

The failure to meet the objectives of the directive is due, on the one hand, to fragmented implementation across EU member states. On the other hand, the rules have been poorly enforced and lawmakers could not keep up with the pace of technological development. The law has left users vulnerable to the consequences of the extensive use of smartphones and smartphone apps, online profiling, social media, and the explosion of the internet in general.

Digital rights organizations such as EDRi and Access Now all agree that the ePrivacy Directive is essential to protect the fundamental rights to privacy and data protection, but that the current legal instrument needs to be updated and upgraded.

The current e-Privacy Directive aims at complementing and particularising Directive 95/46/EC on data protection. Similarly, the future framework will complete the recently adopted General Data Protection Regulation and provide protection for the right to private life as enshrined in Article 7 of the EU Charter of Fundamental Rights, which is not specifically covered by the scope of the GDPR. There is a need for specific protections to be articulated in the revision of the e-Privacy Directive.

Revision of the ePrivacy Directive

As the first step of the revision process, the European Commission launched a public consultation that ran from April through July of 2016. Civil society organizations participated in the consultation and made several recommendations and requests that the European Commission should take into consideration while working on the new proposal:

The new instrument replacing the ePrivacy Directive should be a Regulation, rather than a new Directive, to ensure that it will be uniformly enforced across the EU.

Enhance protections for privacy of our communications — both content and metadata.

Data Protection Authorities should be in charge of enforcing the successor of the e-Privacy Directive instead of telecoms regulators.

Include a mandatory requirement for transparency reporting.

The new law should refer to the definitions of the GDPR.

The use of technical mechanisms such as "online tracking" or "behavioral advertising" should be clarified and updated.

References to “value added services” and “publicly available communication services” need to be reviewed in the light of recent technological developments.

Geographical information, traffic data, location data and any other personal data processed should be reduced to the least-precise (least-granular, least-invasive) type needed for the relevant (initial or subsequent) purpose for which they are collected and used, and should be deleted as soon as they are no longer needed for the initial or subsequent purpose, in line with the principles of “data minimisation” and “purpose limitation”.

Over the Top Services

Digital rights organizations argue that the scope of the rules should be extended from telecoms services to Over the Top (OTT) services such as Google and Facebook. As Access Now has pointed out in its policy paper regarding the review of the ePrivacy Directive, “today, communication does not only take place over services provided by telecoms operators but also through similar services and applications offered by online services such as Line, Whatsapp, Skype, Google Hangout, Slack or Signal. In the past few years, traditional communications platforms such as phone and SMS have been overtaken by OTTs communications services, with more messaging being sent through their modern services. To further the point, studies have found that while services like Whatsapp - which count 800 million active users and handle more than 30 billion messages a day - continue growing, SMS volumes have declined all over the world.” As users increasingly rely on OTT services and applications to communicate, privacy rules ensuring the confidentiality of communications need to apply to this sector too.

EPIC's Interest

EPIC has a particular interest in protecting consumer privacy and has played a leading role in developing the authority of the Federal Trade Commission to address emerging privacy issues and to safeguard the privacy rights of consumers. From its early days, EPIC has worked to ensure that the Federal Trade Commission, the Federal Communications Commission, and other agencies help protect the privacy of consumers and Internet users.

For more than 20 years EPIC has worked with the Federal Communications Commission (FCC) to promote consumer privacy in the communications field. EPIC urged the FCC to apply a framework approach to communications privacy protection that may provide a good starting point to build a common framework for e-privacy and avoid the dramatic divergence that has arisen for consumer privacy.

The FCC’s current rulemaking is a modest first step to protect the privacy of consumers online, who for too long have been at the mercy of corporate self-regulation and weak FTC enforcement. EPIC has repeatedly called on the FCC to use the full extent of its rulemaking authority to provide robust privacy protections for our online communications.

EPIC, Letter to the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Communications and Technology in the matter of Hearing on “FCC Overreach: Examining the Proposed Privacy Rules” (June 13, 2016)